- From: Adrien de Croy <adrien@qbik.com>
- Date: Mon, 07 Jun 2021 03:38:15 +0000
- To: "Paul Vixie" <paul@redbarn.org>
- Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
I'm waiting for someone to propose https for accessLocation for OCSP. Then we will have a nice little Gordian knot.

CRL checks also have to use http.

------ Original Message ------
From: "Paul Vixie" <paul@redbarn.org>
To: "Ilari Liusvaara" <ilariliusvaara@welho.com>
Cc: "Toerless Eckert" <tte@cs.fau.de>; "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Sent: 6/06/2021 6:07:30 am
Subject: Re: Port 80 deprecation

>just be aware that i can't get a "localhost" certificate from an X.509 CA, and
>that the overhead of running an in-house CA just to accomplish this unnecessary
>purpose so that i can encrypt and decrypt data between processes who share a CPU,
>is unthinkable. (the plaintext will be visible inside the process endpoints, so
>there are literally not "on-path adversaries" to protect against.)
>
>for web-style API's inside a system image or hypervisor, TLS will mostly not be
>used. where it is used, global/universal domain names and IP addresses will have
>to be used (to get the X.509 CA system to work), or a private CA will be used.
>this would be all cost no benefit, so, infinitely bad cost:benefit ratio. "nope."
>
>HTTP over TCP/80 is forever. but we can say something else if politically nec'y,
>but that outcome will not change. i've already had to avoid a GoLang SMTP module
>which had no non-SMTPS outbound capability and so could not talk to my private
>PostFix server. the TLS-uber-alles mantra is going to lead to some real trouble.
>
>--
>Paul Vixie
>
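The "Gordian knot" above is easy to make visible in a deployment: inventory the revocation URIs a certificate carries (OCSP responder, CRL distribution point, CA-issuers) and see which ones are plain http and would break if port 80 went away. The following is an added example, not code from this thread; it builds a throwaway self-signed certificate with constructed placeholder URIs using only Go's standard library, then classifies each endpoint by URL scheme.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Endpoint is one revocation-related URI from a certificate: the extension
// it came from, the URI itself, and its scheme.
type Endpoint struct{ Source, URL, Scheme string }

// RevocationEndpoints lists the OCSP responders, CRL distribution points and
// CA-issuer URIs of cert so an operator can see which fetches use plain http.
func RevocationEndpoints(cert *x509.Certificate) []Endpoint {
	var out []Endpoint
	add := func(src string, uris []string) {
		for _, u := range uris {
			scheme := "unknown"
			if p, err := url.Parse(u); err == nil && p.Scheme != "" {
				scheme = p.Scheme
			}
			out = append(out, Endpoint{Source: src, URL: u, Scheme: scheme})
		}
	}
	add("OCSP", cert.OCSPServer)
	add("CRLDP", cert.CRLDistributionPoints)
	add("CAIssuers", cert.IssuingCertificateURL)
	return out
}

// CountPlaintext returns how many endpoints are reachable only over http.
func CountPlaintext(eps []Endpoint) (n int) {
	for _, e := range eps {
		if e.Scheme == "http" {
			n++
		}
	}
	return n
}

// constructedCert builds a self-signed test certificate whose AIA and CRL DP
// extensions hold constructed placeholder URIs (not real CA endpoints).
func constructedCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "placeholder.example.test"},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(time.Hour),
		OCSPServer:            []string{"http://ocsp.placeholder.example.test"},
		CRLDistributionPoints: []string{"http://crl.placeholder.example.test/ca.crl"},
		IssuingCertificateURL: []string{"https://ca.placeholder.example.test/ca.cer"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := constructedCert()
	if err != nil {
		panic(err)
	}
	eps := RevocationEndpoints(cert)
	for _, e := range eps {
		fmt.Printf("%-9s %-5s %s\n", e.Source, e.Scheme, e.URL)
	}
	fmt.Printf("%d of %d revocation endpoints depend on plain http\n", CountPlaintext(eps), len(eps))
}
```

Run against a real leaf certificate (parsed with x509.ParseCertificate) the same function shows which revocation fetches a client must be able to make before it can finish validating a TLS handshake.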
Received on Monday, 7 June 2021 03:38:41 UTC